
Re: Selinux and package guidelines



Kevin Kofler wrote:
dragoran <drago01 <at> gmail.com> writes:
David Woodhouse wrote:
[...]
 *SElinux*,
[..]
Thx for mentioning this. I suggest that any package that creates AVCs should not pass a review. We have such packages in Extras and nothing in the review process takes care of SELinux integration, which is wrong.

So you want to force reviewers to run with SELinux enabled? That's going to reduce the number of reviewers significantly and increase the load on the review queue even more. I for one have SELinux disabled (completely, so I don't get even permissive AVCs) and I'm surely not the only one. Reviewing is already tedious enough as it stands (it took me over an hour to review Strigi, and it already had some quick pre-review comments by Rex Dieter and me). (It does work though, for example I caught some plugin .so files being mistaken for symlinks and thus accidentally shipped in strigi-devel rather than in the main strigi package, that would definitely have broken things for the end user. So I'm not complaining about the current process, just about your suggestion to add that SELinux requirement.)

        Kevin Kofler

I think the point is that someone should test with SELinux enabled. (Especially the packager.) Having these packages go out and blow up on an SELinux-enabled system causes me no end of headaches. I would like to see the guidelines eventually state that any network-facing daemon would come with an SELinux policy for it. But requiring the app to at least start and stop and maybe run a few rudimentary tests with SELinux in enforcing mode.

